Rule: At least one multi-region AWS CloudTrail

This rule ensures the presence of at least one multi-region AWS CloudTrail trail.

Rule: At least one multi-region AWS CloudTrail should be present in an account
Framework: NIST 800-171 Revision 2
Severity: Medium

Rule Description:

For compliance with the NIST 800-171 Revision 2 security standard, at least one multi-region AWS CloudTrail trail must be enabled in each AWS account. CloudTrail is the AWS service that records API activity in an account and supports governance, compliance, operational auditing, and risk auditing. A multi-region trail captures activity logs from every region, including regions where you have deployed no resources, so unexpected activity outside your usual regions is still recorded; this provides an additional layer of security and auditability over a set of single-region trails.

Troubleshooting Steps:

  1. Ensure that you have the necessary permissions: Make sure that you have the required IAM permissions to create, configure, and manage CloudTrail in your AWS account.

  2. Check CloudTrail service status: Validate that the CloudTrail service is available in your account's region, as certain AWS services may not be available in all regions.

  3. Verify whether there are existing CloudTrail trails: Check whether any CloudTrail trails are already active in your AWS account. If you have multiple accounts within your organization, ensure that you have at least one multi-region CloudTrail enabled in each account.

  4. Review CloudTrail regions: Review the AWS regions where your resources are deployed. Ensure that you have CloudTrail trails active in those regions, or consider adjusting your resources to align with regions where CloudTrail is enabled.

  5. Check for any errors in trail configuration: Review the configuration of your existing CloudTrail trails and verify whether there are any errors or misconfigurations. This includes ensuring that appropriate S3 buckets are specified as the destination for CloudTrail logs and that logging is enabled for the required AWS services.

Necessary Codes:

No specific code is required for this compliance requirement. However, you may need to make use of AWS CLI commands to manage and configure CloudTrail if manual changes are necessary.

Step-by-Step Guide for Remediation:

  1. Log in to the AWS Management Console (https://console.aws.amazon.com).

  2. Navigate to the CloudTrail service by clicking on "Services" in the top navigation bar, searching for "CloudTrail," and selecting it from the drop-down menu.

  3. On the CloudTrail dashboard, click on "Trails" in the left sidebar.

  4. Check whether any existing trails are listed. If there are no trails, or they do not cover all the regions where your AWS resources are deployed, proceed to the next step. Otherwise, make the necessary adjustments to ensure at least one multi-region trail is active.

  5. Click on the "Create trail" button.

  6. Provide a name for the trail that indicates its purpose and select the checkbox for "Apply trail to all regions."

  7. Choose an appropriate S3 bucket where the CloudTrail logs will be stored. If you need to create a new bucket, click on the "Create a new S3 bucket" button and follow the prompts to create one.

  8. Configure additional settings as per your requirements, such as log file encryption, CloudWatch Logs integration, event selectors, etc. Ensure these settings align with your organization's compliance policies.

  9. Click on "Create" to create the CloudTrail trail.

  10. Validate that the newly created trail appears in the list of trails, is marked "Enabled," and covers all desired regions.

  11. Repeat the above steps for each AWS account within your organization, ensuring that at least one multi-region CloudTrail trail is active in each account.

By following the above steps, you will have successfully remediated the NIST 800-171 Revision 2 requirement of having at least one multi-region AWS CloudTrail in your account.
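The check in troubleshooting steps 3 and 4 and the remediation above can be scripted against the CloudTrail API instead of the console. The following is an added example written for this page, not Cloud Defense code: `find_compliant_trails` applies the rule (multi-region and currently logging) to the response shapes of `describe-trails` and `get-trail-status`, and `main()` fetches live data with boto3 (assumed to be installed and configured with CloudTrail read permissions) and, only when `--create` and `--bucket` are given, creates and starts the trail the remediation steps describe. The sample trails, ARNs and account ID `111111111111` are constructed, as is the `--create`/`--bucket` interface.

```python
"""Check an AWS account for an enabled multi-region CloudTrail trail.

Added example for this rule page (not Cloud Defense code). The pure function
works offline on API-shaped data; main() needs boto3 and AWS credentials.
"""
import argparse
import json
import sys


def find_compliant_trails(trail_list, status_by_arn):
    """Return names of trails that satisfy the rule: multi-region AND logging.

    trail_list    -- the "trailList" array from describe-trails
    status_by_arn -- {TrailARN: get-trail-status response}
    A trail with no status entry is treated as not logging.
    """
    compliant = []
    for trail in trail_list:
        status = status_by_arn.get(trail["TrailARN"], {})
        if trail.get("IsMultiRegionTrail") and status.get("IsLogging"):
            compliant.append(trail["Name"])
    return compliant


def is_compliant(trail_list, status_by_arn):
    """True when at least one multi-region trail is actively logging."""
    return len(find_compliant_trails(trail_list, status_by_arn)) > 0


# Constructed sample data in the shape the CloudTrail API returns (not captured
# from a real account): a single-region trail, a multi-region trail whose
# logging was stopped, and a multi-region trail that is logging.
_ARN = "arn:aws:cloudtrail:{region}:111111111111:trail/{name}"
SAMPLE_TRAILS = [
    {"Name": "us-east-only", "HomeRegion": "us-east-1", "IsMultiRegionTrail": False,
     "S3BucketName": "example-logs", "TrailARN": _ARN.format(region="us-east-1", name="us-east-only")},
    {"Name": "org-trail-stopped", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "S3BucketName": "example-logs", "TrailARN": _ARN.format(region="us-east-1", name="org-trail-stopped")},
    {"Name": "all-regions", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": True,
     "S3BucketName": "example-logs", "TrailARN": _ARN.format(region="eu-west-1", name="all-regions")},
]
SAMPLE_STATUS = {
    SAMPLE_TRAILS[0]["TrailARN"]: {"IsLogging": True},
    SAMPLE_TRAILS[1]["TrailARN"]: {"IsLogging": False},
    SAMPLE_TRAILS[2]["TrailARN"]: {"IsLogging": True},
}


def fetch_from_aws(client):
    """Pull the live trail list and per-trail status through a boto3 CloudTrail client."""
    # includeShadowTrails lists multi-region trails whose home region differs from
    # the region this client talks to, so a trail created elsewhere is not missed.
    trails = client.describe_trails(includeShadowTrails=True)["trailList"]
    status = {t["TrailARN"]: client.get_trail_status(Name=t["TrailARN"]) for t in trails}
    return trails, status


def create_multi_region_trail(client, name, bucket):
    """Create and start the trail the remediation steps describe (needs write access)."""
    client.create_trail(
        Name=name,
        S3BucketName=bucket,            # bucket policy must already allow CloudTrail to write
        IsMultiRegionTrail=True,        # the console's "Apply trail to all regions"
        EnableLogFileValidation=True,   # digest files let you detect altered log files
    )
    client.start_logging(Name=name)     # a created trail does not log until started


def main(argv=None):
    parser = argparse.ArgumentParser(description="NIST 800-171 multi-region CloudTrail check")
    parser.add_argument("--region", default=None, help="region for the API client (default: profile region)")
    parser.add_argument("--create", metavar="TRAIL_NAME", help="create a multi-region trail if none is compliant")
    parser.add_argument("--bucket", metavar="S3_BUCKET", help="log destination bucket for --create")
    args = parser.parse_args(argv)

    import boto3  # imported here so the offline check above works without boto3 installed
    client = boto3.client("cloudtrail", region_name=args.region)
    trails, status = fetch_from_aws(client)
    compliant = find_compliant_trails(trails, status)
    print(json.dumps({"trails_checked": len(trails), "compliant_trails": compliant}, indent=2))
    if compliant:
        return 0
    if args.create and args.bucket:
        create_multi_region_trail(client, args.create, args.bucket)
        print(f"created and started multi-region trail {args.create}")
        return 0
    return 1  # non-zero exit so a scheduled compliance job fails on this rule


if __name__ == "__main__":
    sys.exit(main())
```

Run it once per account (for example under each account's profile) and treat a non-zero exit as a finding; step 11 above is then a loop over profiles rather than a console walk-through. The check deliberately requires `IsLogging`, because a multi-region trail that exists but was stopped satisfies a naive "trail present" query while recording nothing.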
